Java application opens secure access to sensitive court data
Providing law offices and citizens with specific data on court schedules and other judicial information without compromising security was the challenge Robert McDonald faced in architecting Court Services Online.
As director, application management services, for the attorney general’s office in British Columbia, he needed to link relatively new J2EE-based applications with both legacy systems and Microsoft .NET systems. Because court scheduling is highly dynamic, with events such as dates for proceedings frequently changing, all the information needed to be delivered to law offices, citizens and news media in real time, McDonald says.
"Just to put it in context we have an integrated civil and criminal justice system," he explains. "It’s one of the largest in North America. (covering the entire province of British Columbia). We’ve started to build public interfaces so citizens can get access to the public information like future appearance dates or civil litigation material."
Because of the dynamism of the system, with judges making changes to schedules, McDonald says an offline database wasn’t workable "because information can change on a moment’s notice."
So Court Services Online needed to provide a Web-based application for individuals to retrieve only the information that pertained to them while protecting all the sensitive data from unauthorized access.
McDonald said the Java programmers in his shop had little trouble linking the civil and criminal computer systems based on Oracle’s implementation of J2EE with older legacy systems, as well as a Microsoft .NET system used by a separate judicial branch. Security was the major challenge and he tackled it with the latest technology, including Layer 7’s SecureSpan, which provides a network-pluggable appliance for central administration of security policies. McDonald carefully developed those policies to ensure that confidential information didn’t slip through the gateways.
"There’s a number of different security aspects that we’ve applied here," he says, reviewing the Web services architecture. "Number one from a services side we’ve specifically configured certain services that actually provide information. So for instance, if a law office wants to get their client’s future appearance dates, that’s not public information. It’s private information between a client, the court and the lawyer that’s specifically handling that case, so when a lawyer signs in and gets access to that, the service that we customized in the application only provides that information."
Beyond firewalls and gateway security appliances, the key to security is that services only return highly specific information based on the user’s ID, McDonald explains.
"From the Web services perspective, we apply policy where we actually say that only certain individuals can do certain things," the chief architect says. "It has to be a lawyer or a citizen with an ID. They can’t just come through there with a generic ID."
Using XML technology such as schema validation, the system prevents a hacker from getting through with a bogus XML message.
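An added example (not code from the article or from Court Services Online) of the two controls described above: the request is checked against a schema before it is used, and the lookup is scoped to the authenticated user's ID. It is written for Java 17; the schema, element names, class name and sample records are assumptions constructed for illustration.

```java
import java.io.StringReader;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class AppearanceService {
    // Constructed schema: a request is exactly one caseId, a positive integer.
    static final String XSD = "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
        + "<xs:element name='appearanceRequest'><xs:complexType><xs:sequence>"
        + "<xs:element name='caseId' type='xs:positiveInteger'/>"
        + "</xs:sequence></xs:complexType></xs:element></xs:schema>";
    record Appearance(String caseId, String lawyerId, String date) {}
    // Constructed records standing in for the live scheduling system.
    static final List<Appearance> DB = List.of(
        new Appearance("1001", "lawyer-a", "2030-01-15"),
        new Appearance("1002", "lawyer-b", "2030-02-03"));
    // Parse and validate in one pass; a schema violation aborts the request.
    static String caseIdFrom(String xml) throws Exception {
        var dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setSchema(SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
            .newSchema(new StreamSource(new StringReader(XSD))));
        var db = dbf.newDocumentBuilder();
        db.setErrorHandler(new DefaultHandler() { // the default handler does not throw
            @Override public void error(SAXParseException e) throws SAXParseException { throw e; }
        });
        var doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent().trim();
    }
    // userId comes from the authenticated session, never from the message body.
    static List<Appearance> lookup(String userId, String xml) {
        try {
            String caseId = caseIdFrom(xml);
            return DB.stream().filter(a -> a.caseId().equals(caseId)
                && a.lawyerId().equals(userId)).toList();
        } catch (Exception e) {
            return List.of(); // malformed or schema-violating message: no data
        }
    }
    // Runs the case's own lawyer, another lawyer, then a message that fails validation.
    public static void main(String[] args) {
        String ok = "<appearanceRequest><caseId>1001</caseId></appearanceRequest>";
        for (String u : List.of("lawyer-a", "lawyer-b")) System.out.println(lookup(u, ok));
        System.out.println(lookup("lawyer-a", ok.replace("1001", "*")));
    }
}
```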
So far, the careful application of security has helped Court Services Online avoid becoming a victim of its own success.
This past summer, McDonald launched the system on a trial basis with selected law offices and media outlets, but when the application was opened to all lawyers, media and citizens with court business, usage exploded.
"We’ve kind of exceeded our expectations from the number of citizens and lawyers in the province that are actually using Court Services Online," he says. "We thought maybe in six months there’d be mass usage. But we’re actually seeing significant uptake right off the bat."
Rich Seeley is Web Editor for Campus Technology.